What's New?

• The Security Controls REST API has been updated to provide more control of cultures and to enable specifying an instance name if required when deploying patches. For more information, see API help (opens in a new window).
• Windows Server 2012 and Windows Server 2012 R2 clients are supported with Microsoft Extended Security Updates (ESU) and an Ivanti ESU – contact your Ivanti supplier.
• Windows Server 2012 and Windows Server 2012 R2 are no longer supported for the console. For a complete list of supported platforms, see System Requirements.
• The Ivanti Security Controls Diagnostic Toolkit, which provides utilities to help diagnose your system and provide information to support is now available. For more information, see Security Controls Diagnostic Toolkit Release Notes (opens in a new window).

• You can now edit machine details using the REST API. For more information about the REST API, see the separate help (opens in a new window).
• During the automatic cleanup of the download directory, core files are not deleted if the download directory is set to be used as a distribution server. For more information, see Download Options.
• Accessibility improvements.

•Use of the Ivanti Scheduler has been discontinued. The Microsoft Scheduler has been improved to the point that the Ivanti Scheduler is no longer needed. The Microsoft Scheduler is now the default scheduler service and is used when performing power state and patch deployment tasks on remote machines. The scheduler is used to initiate the tasks at the specified time, whether immediately or at some specified time.

With the deprecation of the Ivanti Scheduler, port 5120 is no longer required to be an allowed port in your firewall settings. In addition, when you are certain that all scheduled tasks still using the Ivanti Scheduler have been run, you should remove the Ivanti Scheduler from your target machines.

•A deployment tool is now being pushed to target machines when a patch deployment is performed from the console. The tool is used to execute a deployment package on the target machine. The capabilities of the deployment tool are not new; they used to be included with the Ivanti Scheduler. With the deprecation of the Ivanti Scheduler, however, the deployment tool is now being delivered as a separate component. It will automatically be pushed to target machines when needed. If needed, you can remove the deployment tool from a target machine by right-clicking the machine in Machine View and using the Uninstall deployment tool command.

•For offline virtual machines, patching products installed on virtual disks with the disk mode set to either Independent – Persistent or Independent – Nonpersistent is not supported. If a virtual machine has both dependent and independent disks, you can still install patches for products that are installed on the dependent disks.

•Support for ESXi 6.0 has been dropped and support for ESXi 8.00 and 8.0.1 added. The supported versions of VMware ESXi hypervisors are now ESXi 6.5, ESXi 6.7, ESXi 7.0, ESXi 8.00, and ESXi 8.0.1.

•Removed Microsoft Visual C++ Redistributable for Visual Studio 2013 as a prerequisite software requirement for the console

•A number of known issues have been resolved. See the Security Controls 2023.2 Release Notes for the complete list of resolved issues.

•The Validate Against Known Hosts File option is now available when configuring the SSH server connection process. You should choose this option if you want to use the known_hosts file to validate each target machine before allowing an SSH connection.

•The user interface has been refreshed with new icons and colors, providing a more modern look. A new skin that mimics the look and feel of Windows 11 has also been added. The skin is named WXI and can be found on the Display tab of the Options dialog. WXI is the new default option.

•A number of known issues have been resolved. See the Security Controls 2023.1 Release Notes for the complete list of resolved issues.

•A new "Automate to Compliance" REST API script is now available. The script automates the steps in the patch process (scan, deploy, reboot), repeating the steps until all patches have been deployed to the designated machines.

•The Patch Metadata function in the REST API has been enhanced to provide better sorting and pagination capabilities when viewing the query results.

•The agent client program has been updated. Much more information is now provided in the patch task logs about the patch status (downloads, installs, success, failure, error messages).

•A security enhancement has been made to the SSH server connection process. You now have the option to specify if an SSH connection can be used when the console communicates with an endpoint that supports SSH and for which SMB fails.

•More information has been added to the error codes that are displayed in the Windows deployment history tab in Machine View.

•Deprecation of Windows 8.1: Support for the Security Controls console on the Windows 8.1 operating system is scheduled to end in January 2023.

•A number of known issues have been resolved. See the Security Controls 2022.4 Release Notes for the complete list of resolved issues.

•The ability to automatically clean up your patch download directory and your distribution server(s). Any patches that are unlikely to be used in the future will be deleted from these locations, saving disk space. This option is configured on the Tools > Options > Downloads tab.

•The number of thread pools used when scanning machine groups that contain machines defined by an IP range, a domain or an organizational unit is now automatically capped. This will improve performance by limiting the number of machine groups that can be scanned at one time, keeping the console machine's processors from becoming overloaded. For more details, see the information on the Global thread pool option.

•Localized versions of the agent user interface are now available.

•You now have the option to specify if the agent user interface will be installed. The agent client currently requires the use of .NET 6, and it will likely continue to be updated in the future to use newer versions of .NET as they become available. One of the reasons you may not want the agent client installed is if you have other applications on your machines that also require the use of .NET. If the agent client is not needed, you can shield those machines from the reboots and other effects that occur when an agent is updated to support a new version of .NET.

•Two new Linux patch attributes are now stored in the database and are available for reporting purposes: InstalledOn date and Notification > Title.

•In addition to checking for application updates and End-of-Life notices on launch, the Security Controls console will now check for updates and notices every 24 hours while the Security Controls console remains open. The administrator can snooze the notifications for up to seven days at a time.

•The Security Controls Cloud website has been refreshed. It now has an updated style that is consistent with other Ivanti sites, and modern client libraries are used to help ensure the most secure browsing experience.

•A number of known issues have been resolved. See the Security Controls 2022.3 Release Notes for the complete list of resolved issues.

•An example PowerShell script has been added to the Security Controls REST API Help. This script shows how to add specific KBs to a new patch group or to existing patch groups. If you need to add an out-of-band security patch to many patch groups at once, this script simplifies the process.

•Additional options allow you to more precisely specify which language should be used within the Security Controls interface. In the Tools > Options > Display Options dialog, you can either select a specific language or let the console machine's operating system language setting specify which language should be used. The new language options are applied on a per user basis.

•Support for Red Hat Enterprise Linux 6 has ended. This is because Red Hat has stopped providing maintenance support for Red Hat Enterprise Linux 6.

•Corrected a daylight savings time issue that sometimes caused scheduled scans to run one hour late or become disabled. The fix adds a periodic check that re-enables the scheduled scans.

•A number of known issues have been resolved. See the Security Controls 2022.2 Release Notes for the complete list of resolved issues.

•More complete information is now provided in Machine View and in reports for virtual machines that contain the same name. Previously, only one entry would be created for hosted online virtual machines that had the same name but different vCenter paths. With this release the machines are listed separately, with complete host data path information provided for each machine to show the distinction between the machines.

•An updated Application Control engine component is being made available.

•Additional context is provided on an error message that precedes the unexpected closing of the Security Controls console. The new text makes it clear that the console is closing because it was unable to download the required content data.

•A number of known issues have been resolved. See the Security Controls 2022.1 Release Notes for the complete list of resolved issues.

Ability to Delete a User Whose Credentials are Shared with Other Users

The User Role Assignment dialog has been replaced by the new User Manager dialog. In addition to allowing you to assign different roles to different users, the User Manager dialog now allows you to delete any users who should no longer have access to Security Controls. For example, if one of your administrators has been assigned to a different project or has left your organization, you will want to delete that user. If the user being deleted is currently sharing credentials with one or more users or with background services, you are able to clean up all shared credential associations before you delete the user.

Improved Windows Agent Client Program

The agent client program has been totally reworked, providing an updated look and feel. In addition, the program provides more troubleshooting information and does a better job of presenting the information.

Windows 11 and Windows Server 2022 Support

Support has been added for Windows 11 and Windows Server 2022 for use as a console and on target machines that require patching.

•A number of known issues have been resolved. See the Security Controls 2021.2 Update 1 Release Notes for the complete list of resolved issues.

•The supported versions of VMware ESXi hypervisors are now ESXi 6.0, ESXi 6.5, ESXi 6.7 and ESXi 7.0. Support for ESXi 5.x has been dropped.

If you are using ESXI 7.0 Update 1 or later, the patch offline bundle must be installed on your hypervisor. For more information, see the VMware ESXi 7.0 Update 1 Release Notes.

•The following operating systems are no longer supported:

•The Security Controls console is no longer supported on Windows Server 2008 R2 and Windows 7 operating systems

•The Security Controls agent is no longer supported on Windows 8 and CentOS 6 operating systems

•Agentless operations are no longer supported on Windows XP, Windows Server 2003, Windows Vista and Windows 8 operating systems

Sideload Patches

Sideloading refers to the process of managing patches that cannot be automatically downloaded. The sideload feature greatly simplifies this process. You will need to manually download the patch file, but after that the sideload feature takes over and provides a number of automated services. Specifically, the feature will verify the contents of the manually downloaded patch, rename the file if needed and then automatically save the patch file to the patch download directory. Once there, the patch is ready to be deployed using the normal deployment process.

Automatically Delete Inactive Machines from the Database

The ability to automatically delete inactive machines from the database has been added to the Database Maintenance tool. An inactive machine can be a machine that has not had an agent check in with the console, been assessed or been included in a patch deployment for the specified number of days. This is important, because inactive machines do not accurately depict the current state of your organization.

Continuous Agentless Scanning

You now have the option to configure agentless patch scanning operations on intervals as short as three minutes. This provides the ability to perform nearly continuous scans of a designated machine group.

Scripted Scans and Deployments Using CVEs

A detailed series of PowerShell scripts is provided that show how to scan for and deploy patches using input from a CVE file. The scripts invoke the REST API and perform a number of tasks, including:

•Parsing a CVE file and converting the content to a patch group

•Creating a scan template that scans for the patches contained in the patch group

•Optionally deploying any missing patches

Workstation and Server License Information

Additional details about your current license status are now available in two different locations. You can:

•Select Help > About Ivanti Security Controls on the console to view the number of deployment license seats currently used for both your servers and your workstations.

•Generate a Detailed License Status report that shows the number of available licensed seats, the number of seats used, how and when the seats were consumed and when they will be available again.

•Added a new Configuration method in the REST API that enables you to display version information for the Security Controls console.

•In the Patch Deployments method in the REST API help, a DeploymentResult table has been added containing the codes that identify the various states of a deployment.

•In the Machines method in the REST API help:

•Added the credentialId field to the output model

•Added new PUT operations for assigning and unassigning a credential to a machine

•Added Port 902 information to the Port Requirements table in the System Requirements

•Ended support for CentOS 6 Linux clients. This is because Red Hat has stopped providing maintenance support for CentOS 6.

Connect to Machines by Fully Qualified Domain Name (FQDN)

Prior to this release, the Security Controls console made connections with clients using the IP address of the machines. Some networks, however, have begun to operate in stricter environments that employ the use of additional Kerberos security measures. In particular, if the client machines in your environment establish a connection with servers using the Server Message Block (SMB) protocol, a certain level of validation may be required to be performed on the client's Service Principal Name (SPN). For these networks, you now have the option to choose Fully Qualified Domain Name (FQDN) as your connection method. Doing so will satisfy the additional validation requirements and enable successful connections to your client machines.

Copy Usages Button

For a shared credential, this new button enables you to add any credential usage that is not already being used by your user account. You might do this if the credential owner, or another user who is sharing the credential, has added one or more new usages since the credential was initially shared with you and you want to keep in sync with those changes.

REST API Enhancements

Several new capabilities have been added to the following functional areas in the REST API:

•Patch Metadata: Support has been added for IAVA IDs, and you can now sort and paginate the results of queries. This is implemented with the introduction of three new query URL parameters: iavaIds, orderBy and sortOrder. In addition, nine new output fields are now available: affectedProducts, bulletinTitle, familyId, familyName, fileSize, iava, summary, vendorId and vendorName.

•Machine Groups: The connectionMethod property has been added to the input and output models. This is being done in conjunction with the Connect to Machines by Fully Qualified Domain Name (FQDN) feature (see above).

•Patch Scans: You are now able to specify the connection method in conjunction with the endpoint names specified for scanning. This is being done in conjunction with the Connect to Machines by Fully Qualified Domain Name (FQDN) feature (see above).

•Agent Deployments: The connectionMethod property has been added to the input model. This is being done in conjunction with the Connect to Machines by Fully Qualified Domain Name (FQDN) feature (see above).

•Patch Deployments: You now have the ability to deploy specific patches to specific machines using a designated deployment template. This provides an integrated patching solution for Ivanti Neurons customers, and it is useful for existing on-premise customers who wish to tailor their patch deployment. The following input parameters are now available: deployWhat, machines, and runAsDefault.

Support for Red Hat Enterprise Linux 8

All vendor-supported Server, Workstation, Client and Computer Node variants of RHEL 8 (64-bit only) machines are now able to be scanned and patched using agents.

Support for RHEL 8 is made possible through an update to the dynamic data content that is provided by Ivanti. This means that the two previous versions of Security Controls, 2019.3 and 2020.1, are now also able to support RHEL 8.

Shared Credentials

You can now share credentials with one or more users. This is especially useful in multi-admin environments, as it enables a senior administrator to delegate operations to junior administrators. The junior administrators can interact with endpoints using a secure credential without knowing the password for that credential. In addition, when a password needs updating, it can be updated from a single location.

Grouping of Machines in Machine View and Scan View

The new Assigned Groups column in Machine View and Scan View enables you to group related machines, making it easier to perform agentless operations and generate reports on the machines. This column is particularly useful for machines such as Cloud agents, as those machines do not belong to a machine group. With the Assigned Group feature, you can now group those machines with other machines that share similar attributes, such as the same physical location or agent policy.

Improved Product Licensing Process

A new credentials-based activation method is now available that enables you to specify exactly how many of your available license seats you want to consume on a specific entitlement. This method will be used by new customers who have an internet connection from the console. The legacy key-based activation method is still supported for existing customers who are upgrading and for customers who need to activate from within a disconnected network.

Additional REST API Functionality

The following functional areas are now available through the REST API:

•Cloud Sync

•Machines

•Users

The ability to share credentials and assign a machine to a group has also been added. For complete information, see the REST API help.

Deep Rebrand

References to outdated company and product names have been scrubbed. Directory paths and other items that contain company and/or product names are now current.

Software Distribution Notification

A notification dialog is now provided whenever you add a software distribution patch to a patch group or initiate a scan for third-party applications. This warning will help prevent the inadvertent installation of third-party applications on your endpoints.

Improved List of Port Requirements

The Port Requirements table in the System Requirements help topic now contains much greater detail.

Patch Breakdown Column Renamed to Health

Within Machine View and Scan View, the Patch breakdown column has been renamed to Health. The new name better reflects the purpose of the column, which is to indicate the "health" of a machine by providing a visual representation of the percentage of installed patches vs missing patches.

Carry Original Scan Name into the Associated Deployment Name

When a patch scan is followed by an automatic patch deployment, the scan name is now associated with the corresponding deployment operation.

Linux Listening Agents

Support is now provided for Linux listening agents. This means that the agents on Linux machines are able to listen to the console for policy updates or commands.

Additional REST API Functionality

The following functional areas are now available through the REST API:

•Agents

•Agent Deployments

•Agent Tasks

•Linux Patch Deployment Configurations

•Linux Patch Group

•Linux Patch Metadata

•Linux Patch Scan Configurations

•Policies

•Product Level Group

For complete information on using each of these functional areas, see the REST API Help.

AC Configuration Versioning

You can now create different versions of a configuration. Each time a modification is made a new version is created which enables the review and auditing of changes. It also means that previous versions of your configuration remain available which you can rollback to if required.

Specific versions of a configuration can be assigned to an Agent Policy.

Deletion of specific versions is now also possible.

For further details, see Manage AC Configurations.

AC Configuration Comparison Tool

The configuration comparison tool has been introduced so you can easily compare two different configurations or two different versions of the same configuration. Change tracking can quickly be identified and located.

For further details, see Configuration Comparison Tool.

Improved Graphics

The icons and images in the main console have been updated to use a scalable vector graphics (SVG) format. This means the console has proper high DPI support and will scale correctly on machines that have font settings greater than 100%.

Intelligent Linux Agent Installations

When installing an agent on a Linux machine, checks will be made to see if the Linux machine is properly configured to support all agent functionality. If something is amiss (for example, if the machine's Red Hat subscription is not current), the installation will fail and a message will be displayed informing you of the situation.

AC Message Settings Enhancements

The message box enhancements include:

•Option to include a company logo as a graphic in the message box.

•Easily resize the message box in the preview, all values of the resize are retained when the preview is closed.

•Option to include a colored text banner in the message.

•More descriptive default text in the message body.

For further details, see Configuration Message Settings.

Rule Collections

There is now only one type of Rule Collection, in previous versions this was split between Executable Control Rule Collections and Privilege Management Rule Collections. For further details see Rule Collections